Securing the Internet Facing EBusiness Suite - PowerPoint PPT Presentation

Loading...

PPT – Securing the Internet Facing EBusiness Suite PowerPoint presentation | free to download - id: 145aa1-MzYwM



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Securing the Internet Facing EBusiness Suite

Description:

How many of you have an Internet Facing Oracle Application Module? Or ... Probably not required and overkill for internal users running on a switched network ... – PowerPoint PPT presentation

Number of Views:104
Avg rating:3.0/5.0
Slides: 41
Provided by: johnp232
Learn more at: http://www.norcaloaug.com
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Securing the Internet Facing EBusiness Suite


1
Securing the Internet Facing E-Business Suite
  • John PetersJRPJR, Inc.
  • john.peters_at_jrpjr.com

2
  • How many of you have an Internet Facing Oracle
    Application Module? Or Considered Buying one?
  • iStore
  • iCustomers
  • iSuppliers
  • iSupport
  • iRequitment
  • iReceivables
  • Others???
  • How many of you have thought about security?

3
What you should learn from this presentation
  • General Oracle Applications Security (why this
    is not enough)
  • Various Systems Configuration Options
  • An Optimal Solution at This Time
  • External Facing eBusiness Suite Functionality
    Issues

4
General Oracle Applications Security
  • Note 189367.1, 06-JAN-2005 Best Practices for
    Securing the E-Business Suite An excellent
    starting point
  • Covers each applications component
  • SQLNet Listener
  • Database
  • Applications Tier
  • eBusiness Suite
  • Desktop
  • OS

5
General Oracle Applications Security
  • Note 189367.1, 06-JAN-2005
  • But leaves many holes
  • Does not provide a configuration overview
  • Does not adequately address external eBusiness
    Suite modules
  • Just barely touches on OS Issues
  • Does not address user registration issues

6
Typical OraApps ConfigurationInternal Users Only
  • One or more physical servers for each Tier
  • Typically a router between the servers and the
    user
  • Connection between users and servers is typically
    non-SSL HTTP// (not HTTPS//)

7
Non-SSL vs SSLFor Internal Users Only
  • SSL encrypts communications between users and the
    Applications Tier
  • Sometimes SOX pushes this as a requirement
  • Possibly a 10-15 performance hit
  • Hardware Accelerators are available
  • Probably not required and overkill for internal
    users running on a switched network

8
SSL ImplementationFor Internal Users Only
  • A Guide to Understanding and Implementing SSL
    with Oracle Applications 11i, Note123718.1
  • This document changes so keep up to date with it
  • There are issues associated with some modules
    which call servlets
  • Configurator (even if you are not using it OM
    calls it for PTO Kits)
  • iPayment
  • Fix requires running a non-SSL web listener
  • Again SSL is probably not required for most sites

9
OraApps Internet Facing Configurations
  • Example 1No DMZ, Open Up Firewall
  • Example 2DMZ Application Server
  • Example 3DMZ Web Cache Server
  • Example 4DMZ Web Cache ServerDedicated External
    Applications Server

10
Example 1 Non-DMZ Configuration (do not do this)
  • Drawbacks
  • With same ports open that internal users use,
    internal functionality is exposed to the internet
  • Without SSL between the Internet Users Computer
    and Applications Tier communications can be
    eaves dropped on

11
Example 2 DMZ Application Server Configuration
  • Benefits
  • Internet Communication is done through SSL
  • SSL End Point is not on Internal Applications
    Tier
  • Communication between DMZ Applications Tier and
    DB Tier are done through SQLnet
  • DMZ must be compromised for a hacker to get in

12
Example 2 DMZ Application Server Configuration
  • Drawbacks
  • DMZ Applications Tier exposes too much to a
    possible hacker
  • DMZ Applications Tier must be patched and
    monitored
  • Not currently autoconfig and ad tools supported

13
Example 3 DMZ Web Cache Server
  • Benefits
  • All the benefits of Example 2
  • Ports are filtered, only http traffic between
    Internet and Applications Tier
  • Minimize software components in DMZ
  • Only one Applications Tier to patch
  • Can change URL, masking the Oracle
    ApplicationURLs were ? http//mysite.com/OA_HTML/
    URLs can be ? http//mysite.com/external/

14
Example 3 DMZ Web Cache Server
  • Drawbacks
  • Applications Tier still exposes too much to a
    possible hacker. You can deep link to JSP pages
    if you know their names.

15
What is Web Cache
  • Web Cache is a component of Oracle iAS 10G (and
    prior versions)
  • Web Cache in my example is installed without
    Oracle iAS 10G(standalone installation)
  • Minimal set of software
  • No Infrastructure DB
  • None of the other components of iAS
  • Perfect for a DMZ deployment
  • Please refer to the product documentation on
    OTNOracle Application Server 10g Release 2
    (10.1.2)
  • Please talk to your Oracle Sales Rep for
    licensing information.

16
What does Web Cache do?
  • Web Cache sits between the users and the origin
    servers (Applications Tier)
  • Web Cache stores or caches data into memory based
    on rules you specify
  • The primary purpose is to improve performance of
    web sites
  • Our purpose is to
  • Provide an SSL termination point
  • Change the URLs served up
  • Filter the URLs (not available yet)
  • Web Cache can also provide an error page should
    the Application Tier be down for maintenance

17
Example 4 DMZ Web Cache Dedicated Apps Tier
  • Benefits
  • External Applications Tier can have all of the
    components not required by the Internet Users
    removed. Thus preventing deep linking issues.

18
Example 4 DMZ Web Cache Dedicated Apps Tier
  • Drawbacks
  • External Applications Tier not supported by
    Oracle tools. You have to manually maintain this
    tier.

19
DMZ Reverse Proxy Server
  • Eliminates the need for Example 4s External
    Application Server
  • WebCache Server in DMZ will filter URLs
  • External Product Teams will supply URL patterns
  • Mitigating the unnecessary code problem
  • Described in Oracle OpenWorld Paper Oracle
    E-Business Suite Security Management by George
    Buzsaki, VP Applications Technology Products at
    Oracle

20
My Recommendation
  • Go with Example 3 for now.
  • You can hack the Apache web server configuration
    to provide some URL filtering
  • Keep an eye open for Oracles DMZ Reverse Proxy
    Server filtering release

21
How does it work (step 1)
  • Internet users go tohttps//mysite.com/external/
    login.jsp
  • Connects using SSL to port 443 of the DMZ Web
    Cache Server on NIC 1

22
How does it work (step 2)
  • Web Cache reviews URL request to see if page/data
    is cached in memory
  • If so it serves up page/data

23
How does it work (step 3)
  • Web Cache sends request out to the Application
    Tier (Origin Server) http//myserver.com8000/OA_
    HTML/login.jsp
  • Communication is through NIC 2 using non-SSL
  • Notice the URL changes
  • Application Tier responds, Web Cache relays
    page/data to the Internet User

24
Web Cache Server HW
  • My recommendation is a small server like
  • Dell PowerEdge 2850 or 1850
  • 2 CPU server
  • 4GB of RAM
  • Dual NICs
  • Run Linux on this Server

25
Web Cache Server NIC Configuration
  • Dual NICs allow us to configure them
  • One NIC Internet Facing
  • One NIC Application Tier Facing
  • We are effectively using this server to route
    traffic from one network to the other

26
Hardening the Linux OS
  • Reinstall the factory installed OS
  • Install only the essential components
  • Compilers
  • Kernal Source
  • X Windows/GNOME
  • Install an intrusion detection product like
    TripWire

27
TripWire
  • Creates a database of files on your server
    storing information like
  • Inode number
  • Multiple Checksums
  • File Size
  • File Permission
  • File Ownership
  • You create the Policy file describing what
    directories/files to track
  • Reports can be run periodically to tell you if
    something changed and are sent via email
  • TripWire DB and Policy Files are stored on
    another centralized server
  • This takes a while to setup and change the policy
    file to keep the noise to a minimum
  • Was an Open Source product, included on older
    Linux distributions
  • Now is commercial, www.tripwire.com

28
Keep Linux Patched
  • OS Security issues dont just exist for Microsoft
    products
  • Subscribe to your Linux vendors patching/support
    service
  • Emails will alert you when fixes are available
    and are tailored to your install
  • The automated tools for patching the OS are
    fairly easy to use

29
Dont forget the TEST instance
  • PROD
  • TEST

30
Support Issues
  • Down time for patching is now a bigger deal with
    External Users
  • Web Cache can serve up System Down For
    Maintenance messages to External Users, rather
    than no server found browser errors
  • What was 6am to 6pm support, now turns into 24x7
  • Who do external users contact for support?

31
User Registration Issues
  • All External Facing eBusiness Suite Applications
    utilize FND_USER
  • All of these non-company resources have accounts
    on your system
  • iStore Users
  • iReceivables Users
  • iSupplier Users
  • iRecruitment Users

32
How to know who is who
  • Come up with a Userid Standard for both classes
    of users
  • Internal Users
  • External Users
  • Internal Usersltfirst name initialgtltlast
    namegtltwindows logingtjsmith
  • External Usersltemail addressgtjoe.smith_at_mycustome
    r.com

33
Internal vs External
  • They are different
  • Internal and External differences
  • Password aging
  • Handling of Password reset requests
  • Responsibility requests
  • Responsibility verifications
  • End date
  • Also eBusiness Suite Record History is instantly
    visible and identifiable.

34
User Registration Page Issues
  • iStores user registration page inserts FND_USER
    records
  • User records can not be purged
  • Internal and External Users are mixed together
  • (use a convention of email address for external
    users)
  • They are routed for approval but if denied they
    are unusable forever
  • Approval process is really insufficient for most
    business cases

35
User Registration Page Issues (cont.)
  • iStores user registration page requests the
    Party Number from the customer registering.
  • How many customers know they are 123456
  • If they enter 123465 they are linked to a
    completely different customer
  • Once incorrectly linked it is almost impossible
    to correct in CRM, FND_USER, TCA
  • FND_USER record is lost for further use

36
User Registration Page Issues (cont.)
  • Soution
  • Create a custom form and table
  • External userids request are stored in the custom
    table for review
  • Data is reviewed and if okay entered by internal
    resources into the Oracle Applications
    registration processes to ensure its accuracy
  • Denial of Service attacks will fill this custom
    table which we can delete records from. This
    object can be created with no redo log actions to
    minimize impact on archive logs if required.

37
Summary
  • External Facing eBusiness Suite modules bring
    Security issues to light
  • You might ask, Why do this to yourself?
  • There are legitimate business reasons to use
    External Facing eBusiness Suite modules
  • Just go into them with open eyes and an
    understanding of what you are getting into

38
Additional References
  • Note189367.1, 06-JAN-2005 Best Practices for
    Securing the E-Business Suite
  • Note243324.1, 08-JUL-2003 Securing Oracle
    E-Business Suite for Internet Access by Suppliers
  • Note229335.1, 19-MAY-2004 Best Practices for
    Securing Oracle E-Business Suite for Internet
    Access

39
Additional Book References
  • Linux Security Cookbook
  • by Daniel J. Barrett, Richard E. Silverman,
    Robert G. Byrnes O'Reilly
  • Real World Linux Security Intrusion Prevention,
    Detection and Recovery
  • by Bob ToxenPrentice Hall PTR

40
  • My contact information
  • John Petersjohn.peters_at_jrpjr.com
    http//www.jrpjr.com
  • Additional reference papers can be found
    athttp//www.norcaloaug.org
  • http//www.jrpjr.com
About PowerShow.com